I am building a site using MVC and am using DotNetOpenAuth. I just had my friend test out the login flow of my site on my computer. He used his gmail account, but after he was done, I went to gmail.com and it automatically logged in as him, since he was still authenticated against it.
This seems like a pretty big security issue. If I’m on a public computer and I sign into a site that uses OpenID, I might not necessarily realize how important it is to sign out of that site, and it’s possible that site doesn’t even have a Log Out link or hasn’t implemented it properly. Is there any way, at least with DotNetOpenAuth, to authenticate the user but not necessarily have them “sign in” to their OpenID provider?
No, there is not. That is, it is up to each OpenID Provider to decide how long the login session for their users should last. And most tend to keep them signed in with a standard session cookie.
The general solution for this is that when your friend is on your computer, he should never click “Remember Me” and should always close the browser when he’s done. That’s the only way to assure full logout of all web sites.
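The answer above rests on two cookie facts: the relying party's Log Out link can only clear cookies for its own domain, and a plain login cookie is discarded when the browser closes while a “Remember Me” cookie is not. The following added example (not code from the question, the answer, or DotNetOpenAuth) models that with Python's `http.cookiejar`, using constructed hostnames `rp.example` and `op.example` and constructed cookie names.

```python
# Added example: models why logging out of an OpenID relying party (RP)
# leaves the OpenID provider (OP) session in place, and why closing the
# browser clears it only when "Remember Me" was not used.
# Hostnames, cookie names and values are constructed for illustration.
import time
from http.cookiejar import Cookie, CookieJar

RP_HOST = "rp.example"  # hypothetical relying party (the MVC site)
OP_HOST = "op.example"  # hypothetical OpenID provider (e.g. a mail provider)


def make_cookie(domain, name, remember_me=False):
    """Build a login cookie the way a browser would store it.

    Without "Remember Me" the cookie has no expiry and is marked for
    discard when the browser closes; with it, the cookie persists.
    """
    expires = int(time.time()) + 30 * 24 * 3600 if remember_me else None
    return Cookie(
        version=0, name=name, value="opaque-session-id", port=None,
        port_specified=False, domain=domain, domain_specified=True,
        domain_initial_dot=False, path="/", path_specified=True,
        secure=True, expires=expires, discard=not remember_me,
        comment=None, comment_url=None, rest={"HttpOnly": None},
        rfc2109=False,
    )


def login_flow(remember_me_at_op):
    """Simulate the browser state after an OpenID login.

    The RP sets its own auth cookie; as a side effect of the redirect
    through the OP, the OP sets its login cookie as well.
    """
    jar = CookieJar()
    jar.set_cookie(make_cookie(OP_HOST, "op_login", remember_me=remember_me_at_op))
    jar.set_cookie(make_cookie(RP_HOST, "rp_auth"))
    return jar


def logged_in_hosts(jar):
    """Hosts that still hold a login cookie in this browser."""
    return sorted({c.domain for c in jar})


def rp_logout(jar):
    """The RP's Log Out link can only clear cookies for the RP's domain."""
    jar.clear(RP_HOST)
    return logged_in_hosts(jar)


def close_browser(jar):
    """Closing the browser drops session cookies, never persistent ones."""
    jar.clear_session_cookies()
    return logged_in_hosts(jar)


if __name__ == "__main__":
    jar = login_flow(remember_me_at_op=False)
    print("after RP logout:   ", rp_logout(jar))    # OP still logged in
    print("after browser close:", close_browser(jar))  # nothing left

    jar = login_flow(remember_me_at_op=True)
    rp_logout(jar)
    print("remember-me, closed:", close_browser(jar))  # OP cookie survives
```

Run it and the first scenario shows the OP session surviving the RP logout but vanishing on browser close; the second shows that once “Remember Me” was clicked at the provider, closing the browser no longer helps, which is exactly why the answer advises against it on a shared machine.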